Federal Agencies Improve Grades in Information Security

The federal government got an overall grade of C-minus for its cyber-security efforts in 2006, a congressional oversight committee said today.

The report card, first reported yesterday by washingtonpost.com's Brian Krebs in his Security Fix blog, shows the grade is less than stellar. But the House Government Oversight and Reform Committee said it's an improvement over the last eight years, when federal agencies received a grade of D-plus or worse on the annual report card.

"This grade indicates slow but steady improvement from the past years," said Rep. Tom Davis (R-Va.) when the grade was released today at the Virginia Center for Innovative Technology. "Obviously, challenges remain. But there are some excellent signs of progress in this year's report, and that's encouraging."

Some agencies improved their efforts in safekeeping information, but others fell down on the job. Over the past year, the Department of Justice jumped from a D to an A-minus, and the Department of Housing and Urban Development rose from a D-plus to an A-plus. The Department of Homeland Security climbed from an F to a D. NASA, on the other hand, fell from a B-minus to a D-minus, and the Department of Education fell from a C-minus to an F.

The congressional committee based the grades on internal agency assessments and annual reports agencies submit each year to comply with the Federal Information Security Management Act, which Davis wrote and helped pass in 2002. Several agencies have taken full inventories of their information security systems--a key step toward improvement, Davis said. He added, though, that many still need to configure those systems more securely and better train IT employees.

Some question the accuracy and value of the report card. A recent survey of federal chief information security officers, conducted by the Merlin International Federal Research Consortium, shows that the grades do not take into account the different needs of large and small agencies.

Also, 75 percent of the officers surveyed said the grades had little or no impact on the agency's IT security funding, which provides no incentive to improve.

The top officials at agencies with poor grades often have to explain their performance to the committee, a process "that creates a great deal of pain and anxiety," said Christopher Fountain, chief executive of SecureInfo, a McLean company that helps federal agencies secure their information systems.

He said the grading system has helped raise awareness about the need to be more careful with sensitive information, but he agreed that the grades do not necessarily reflect an agency's security. The Department of Defense, for example, received a failing grade. "But I know they do a very good job with their systems," he said.

Fountain said a more accurate way of testing an agency's armor against cyber attacks is through "ethical hacking," or staging internal breaches to find and fix vulnerable areas.

"It's better for the good guys to find the holes than to wait for the bad guys to exploit them," he said.